
CLAIMS 



What is claimed is: 

1. A metnod of operation at a file server comprising: 

5 accessing at said file server (i) information encrypted 

with a firsn: encryption key and (ii) an entry from an access 
control list, said entry being associated with said 
encrypted information and a client authorized to read and 
modify said encrypted information, wherein said entry 

0 comprises a tirst decryption key encrypted with a second 
encryption key and wherein said first decryption key is 
usable to decrypt said encrypted information . 

transmitting to said client said encrypted information 
and said entry. 

5 1 

2. The method of claim 1 further comprising prior to said 
accessing stepl: 

storing said information encrypted with said first 
encryption key Ion said file server; and 
0 storing salid entry on said file sierver. 

3. The method! of claim 1 wherein said transmitting step 
comprises the stlep of transmitting said encrypted 
information and Isaid entry in response to a request from 

5 said client. 1 

4. The method of claim 1 wherein said transmitting step 
comprises the step of transmitting to said requesting client 
said access control list. 

0 1 

5. The method off claim 1 wherein said first encryption key 
and said first dedryption key are symmetric. 
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6. The method of claim 1 wherein said first encryption key 
comprises one of a public key and a private key of a first 
public/privatie key pair and said first decryption key 
comprises the\ other of said public key and said private key 
of said first Vpublic/private key pair. 



10 



7 . The methoc^ of claim 2 wherein said step of storing said 
entry on said file server includes the step of storing in 
association with\ said entry an unecrypted identifier 
associated with said client. 



8 . The method df claim 2 wherein said step of storing said 
entry on said file server comprises the step of storing an 

15 access control list, wherein said entry comprises one entry 
of a plurality of lentries within said access control list, 
and said entry includes said first decryption key combined 
with a check valuel to form a data stream, wherein said data 
stream is encrypted with a second encryption key associated 

20 with said client; and 

said transmittling step comprises the step of 
transmitting to saip requesting client said encrypted 
information and said access control list. 



25 



30 



9. The method of tlaim 8 wherein said check value 
comprises a value kriown to said client - 



10. The method of c 
identifier associ 



.ated 



laim 8 wherein said check comprises an 
with said client. 



-31- 



ATTORNEY DOCKET NO. P4421 
WEINGARTEN, SCHURGIN, 
GAGNEBIN & HAYES, LLP 
TEL. {617) 542-2290 
FAX. (617) 451-0313 



11. The metrfod of claim 10 wherein said identifier 
comprises a cjLient identifier that serves to identify said 
client; 



12. The meth(pd of claim 8 wherein said identifier comprises 
a group identifier that identifies a group of which said 



client is a me 



)er . 
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13. A method 1 for securely storing information on a file 
server and distributing the stored information, said method 
comprising : 

encryptinc information at one of a plurality of clients 
in communication with said file server, said information 



being encrypte 
associated firs 

encrypting 
encryption key 
authorized to r 
respective one 
corresponding 
respective one 

storing sa 



with a first encryption key having an 
decryption key; 

said first decryption key with a second 
for each of said plurality of clients 
^ad and modify said information, wherein each 
of said second encryption keys has a 
econd decryption key retained by the 
f said plurality of clients; 
id encrypted information on said file server 
and storing on said file server said encrypted first 
decryption keys as a plurality of entries within an access 
control list, whesrein each one of said entries is associated 
with one of said Iplurality of clients; 

forwarding tlo at least a selected one of said plurality 
of clients said pncrypted information and at least one of. 
said entries; 

decrypting Isaid encrypted first decryption key 
contained in said lat least one of said entries utilizing the 
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second decryption key corresponding to the second encryption 
key for tpe respective entry; and 

deciypting said encrypted information using said first 
decryption key to obtain said information. 

14. The method of claim 13 wherein said forwarding step 
comprises \the step of forwarding said encrypted information 
and said at least one of said entries to said selected one 
of said plurality of clients in response to a request 
received atl said file server from said selected one of said 
plurality ok clients. 



15 



The me-: 



:hod of claim 14 wherein said request includes a 
client idenl:ifier associated with said selected one of said 
plurality of clients, said entries each include a client 
identifier associated with one of said plurality of clients, 
and wherein! said forwarding step includes the step of 
forwarding tp at least said selected one of said plurality 
of clients tlhe said entry including the client identifier 
associated wdlth the client identifier contained within said 
request . 



25 



16. The metHod of claim 13 wherein said forwarding step 
comprises the step of forwarding to said selected one of 
said plurality of clients said encrypted information and 
said access cqntrol list. 
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17. The methdd of claim 17 wherein said first encryption 
and decryption 1 keys are symmetric. 

18. The method of claim 13 wherein said second encryption 
and decryption |:eys are symmetric. 
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19. The metAod of claim 13 wherein said first encryption 
key comprises one of a public key and a private key of a 
first public/private key pair and the first decryption key 
comprises the other of said public key and said private key 
of said first 1 public/private key pair. 



10 comprising the 
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20. A method! for storing information securely on a file 
server for ac^cess by members of a group, said method 

steps of: 

identifyir.g the members of said group, wherein said 
group has a grqup identifier, 

information with a first encryption key 
iated first decryption key; 

said first decryption key with a group 
having an associated group decryption key for 
encrypted with said group encryption key; 



encryptinc[ 
having an assoc 

encryptinc 
encryption key 
decrypting date 
and 

storing sa 



Ld encrypted information on said file server 
and storing said encrypted first decryption key on said file 
server within an access control list associated with said 
encrypted infortiation and containing, at least at some 

by of encrypted first decryption keys. 



times, a plurali 



25 21. A method for accessing information securely stored on a 



file server for 
comprising: 

identifying 
group has a groufi 

encrypting 
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access by members of a group, said method 

the members of said group, wherein said 
identifier, 

information with a first encryption key 



having an associated first decryption key; 
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encryptir/g said first decryption key with a group 
encryption key having an associated group decryption key for 



decrypting da 
storing 



:a encrypted with said group encryption key; 
said encrypted information on said file server 
and storing said encrypted first decryption key on said file 
server within! an access control list associated with said 
encrypted information and containing, at least at some 
times, a plurallity of encrypted first decryption keys. 

in response to a request received at said file server 
from one of said members of said group, forwarding to said 
one of said members of said group said encrypted information 



and at least £> 



with said grouD encryption key; 



in a firs 
first decrypt:. 



aid encrypted first decryption key encrypted 



t decrypting step, decrypting said encrypted 
on key with said group decryption key to 
obtain said fitst decryption key; and 

in a second decrypting step, decrypting said encrypted 
information usa\ng said first decryption key to obtain said 
information . 

22. The methodl of claim 21 wherein said method further 
includes the step of distributing said group decryption key 
to said members pf said group and said first decrypting step 
comprises the jstep of decrypting the encrypted first 
decryption key lf)y said one of said members of said group 
using the distributed group decryption key. 



30 



23. The method of claim 21 wherein said first decrypting 
step comprises tne steps of: 

forwarding said encrypted first decryption key to a 
group server associated with said group identifier; 
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decrypfting said encrypted first decryption key at said 
group server using said group decryption key; and 

forwarding said first decryption key to said one of 
said group members. 



10 



24. The method of claim 23 wherein said step of forwarding 
said first decryption key to said one of said group members 
comprises the! step of forwarding the first decryption key to 
said one of said group members over a secure channel. 



25, 



The metho 



d of claim 24 wherein said secure channel is a 



physically secure channel, 



26. The meth<t)d of claim 24 wherein said secure channel 
15 comprises a nc|n-secure communications path and said step of 
forwarding thd first decryption key to said one of said 
group members aver a secure channel comprises the steps of: 

encrypting! said first decryption key with a third 
encryption key I having an associated third decryption key 
20 known to said one of said group members; 

forwarding 1 to said one of said group members said 
encrypted first I decryption key encrypted with said third 
encryption key; And 

decrypting py said one of said group members, said 
25 encrypted first (decryption key encrypted with said third 
encryption key ustLng said third decryption key. 



30 



27 . The method i)f claim 2 6 wherein said third encryption 
key comprises a dublic key of a member public/private key 
pair and wherein Isaid third decryption key comprises the 
member private key I of said member public/private key pair. 
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28. The me 
and decrypt! 



on 



29. The met 
5 and decrypt! 



hod of cla!m 26 where!n sa!d third encryption 
keys are symmetric. 



"Lod of claim 21 wherein said first encryption 
keys are symmetric. 



cn 



30. The metljiod of claim 21 wherein said first encryption 
key comprise^ one of a public key and a private key of a 
first public/private key pair and the first decryption key 
comprises the other of said public key and said private key 
of said first] public/private key pair. 
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31. A methoq for accessing information stored securely on a 
file server 

forwardi|ng to said file server a request for 
information ftom a client; 

in response to said request, receiving from said file 
server said information encrypted with a first encryption 
key having an associated first decryption key and at least 
one access cpntrol list entry associated with a client 
authorized td read and modify said information, said 
received at Idast one entry including said first decryption 
key encrypted! with a second encryption key having an 
associated secAnd decryption key; 

decrypting said encrypted first decryption key using 
said second decryption key to obtain said first decryption 
key; and 

decrypting! said encrypted information using said first 
decryption key. 

32. The method 1 of claim 31 wherein said first encryption 
and decryption keys are symmetric. 
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33. The methc 
key comprises 
first public/p 
comprises the 
of said first 



d of claim 31 wherein said first encryption 
one of a public key and a private key of a 
rivate key pair and the first decryption key 
other of said public key and said private key 
public/private key pair. 



34. The method of claim 31 wherein said second encryption 
key comprises la public key of a member public/private key 

10 pair and said second decryption key comprises the private 
key of said member public/private key pair. 

35. A compute!' program product including a computer 
readable mediun|, said computer readable medium having a 

15 file server combuter program stored thereon, said file 
server computerj program for execution in a computer and 
comprising : 

program code for storing on said file server 
information encrypted with a first encryption key having a 
2 0 corresponding first decryption key; 

program code for storing on said file server an access 
control list, saald access control list including at least 
one entry, said at least one entry including said first 
decryption key encrypted with a second encryption key 



25 associated with oi 



e of a plurality of clients authorized to 



read and modify said information and having access to a 



second decryption 
key; and 

program code 



key associated with said second encryption 
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for transmitting to said one of said 
plurality of clieni:s said encrypted information and said at 
least one entry. 
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program 
information 



36. A computier data signal^ said computer data signal 
including a computer program for use in accessing 
encrypted ini ormation stored on a file server, said 
computer program comprising: 



code for storing on said file server 
encrypted with a first encryption key having a 
corresponding first decryption key; 

program code for storing on said file server an access 
control listj said access control list including at least 
one entry, e4ch of said at least one entry including said 

ion key encrypted with a second encryption key 
th one of a plurality of clients authorized to 
fy said information and having access to a 
second decryp|tion key associated with said second encryption 
key; and 

code for transmitting to said one of said 
clients said encrypted information and said 
entry. 



first decrypt, 
associated wi, 
read and modi 



program 
plurality of 
at least one 



37. Apparatufe for accessing encrypted data stored on a file 
server comprif ;ing : 

means for storing on said file server information 
encrypted with! a first encryption key having a corresponding 
first decryption key; 

means fori storing on said file server an access control 
list, said access control list including at least one entry, 
said at least one entry including said first decryption key 
encrypted with p second encryption key associated with one 
of a plurality of clients authorized to read and modify said 
information and! having access to a second decryption key 
associated withlsaid second encryption key; and 
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program 
plurality of 



least one entry 



code for transmitting to said one of said 
clients said encrypted information and said at 
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